#terragrunt (2020-12)

Terragrunt discussions Archive: https://archive.sweetops.com/terragrunt/

2020-12-23

tim.davis.instinct

Hey all, just wanted to make sure it was put here for anyone who didn’t see it on the Office-Hours this past week. Remote-Run support for Terragrunt is now available in env0!: https://www.env0.com/blog/terragrunt-release

Time to DRY those IaC configurations with env0 and Terragrunt! | env0 blog

Hello, env0 and Terragrunt fans alike! It’s new-feature-day, yet again! But this time, we have something really special for you. We’re giving you the ability to completely change the game on the Infrastructure as Code files that you use to deploy and manage environments with our platform! Introducing remote-run support for Terragrunt workflows, now available in env0!

2020-12-16

David

Interested in knowing how others are doing testing changes locally before pushing to a remote, in particular ones that support plan-all/apply-all commands

David

currently I use --terragrunt-source with a path directly to the module which I would like to apply local changes to

David

this doesn’t work well for a plan all scenario, terragrunt will complain that it isn’t able to find modules for the other terragrunt modules

David

--terragrunt-source ~/dev/work/forks/example-infrastructure-modules//example-service for example

David

I have tried just passing the path to the module folder but ran into errors

paultath81

has anyone run into this issue when running terragrunt plan

Failed to get existing workspaces: S3 bucket does not exist

paultath81

running terragrunt plan does create the bucket for me, but yet it’s stating it cannot find an existing bucket. The only way to get around this is if I whack out the .terragrunt-cache dir

2020-12-15

NVMeÐÐi

anyone have example code of best standards for handling route53 with terragrunt?

2020-12-10

paultath81

Needing help with setting terragrunt to use aws assume role

Joe Niland

I use it with awscli and aws-vault

Joe Niland

I could try to write a gist

paultath81

That would be nice example to reference if you don’t mind

paultath81

Thx Joe

Joe Niland

not sure if that’s what you’re after

Joe Niland

I am just using the standard generate “provider” block from terragrunt docs

paultath81

AWESOME thx Joe

paultath81

I’m having a hard time understanding how to setup assume role

David

Hello! Have you seen https://terragrunt.gruntwork.io/docs/features/work-with-multiple-aws-accounts/? If so, do you have any questions that I could expand on?

Work with multiple AWS accounts

Learn how Terragrunt may help you to work with multiple AWS accounts.

paultath81

Thx @David I’ve read it but still a bit lost

David

that makes sense, I remember it took me a while to get it working the first time. What do you have so far? Do you already have a set of IAM Roles you are trying to use?

David

And are you trying to get this to work locally, or on a CI system, or both?

paultath81

atm I created an IAM user using its access key/id, whereas I’m calling the keys from the ~/.aws/credentials file, but in my code I’m calling it via profile name

remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "non-production-xxx"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-west-2"
    profile        = "non-prod"
    encrypt        = true
    dynamodb_table = "my-lock-table"
  }
}

paultath81

i am planning to setup Atlantis with this as well

David

Nice! With Terragrunt, that looks like a good setup for assuming a particular profile for looking-up/updating the tfstate, but you’ll also need to assume a role using the provider block in your terraform code so that the resources you update are created using that same profile

paultath81

yeah that’s the confusing part which i need help with. I never understand how to use assume roles with terraform/terragrunt

paultath81

Another question which i do have is when using the remote_state backend within terragrunt.hcl. Does that need to be included into the source repo of terraform code? or just the root dir of my module?

paultath81

e.g here’s my main module i will use for all env which in terragrunt.hcl it has a terraform block to call the source of my terraform module in github

paultath81
11:19:20 PM

include {
  path = find_in_parent_folders()
}

terraform {
  source = "[email protected]:PTATH81/terraform-aws-ec2.git//app?ref=v0.0.1"

  extra_arguments "common_vars" {
    commands = get_terraform_commands_that_need_vars()

    arguments = [
      "-var-file=non-prod.tfvars"
    ]
  }
}

David

Gotcha! There are likely better ways of doing this nowadays after the go aws-sdk fixed up some bugs a few months ago, but my setup that works both locally and on atlantis is:

Have a single .tf file that I inject into all modules with a generate block in the parent terragrunt files that contains:

provider "aws" {
  profile = var.profile
  region  = var.region

  assume_role {
    role_arn     = var.role_to_assume
    session_name = "terraform"
  }

  allowed_account_ids = var.allowed_account_ids
}

Then in a separate parent terragrunt file for each environment, I add an input:

role_to_assume      = get_env("DEV_IAM_ROLE", "arn:aws:iam::1234567890:role/Sandbox-Admin")

where identity is the aws-profile for the primary IAM user locally, and that role is the role that will give the local user permissions to do stuff in a given env.

Then on Atlantis, I add the envs from terraform like:

envs = {
    ...
    DEV_IAM_ROLE       = dependency.dev_role.outputs.external_role_arn
    STAGING_IAM_ROLE   = dependency.staging_role.outputs.external_role_arn
    PROD_IAM_ROLE      = dependency.prod_role.outputs.external_role_arn
    COMMONS_IAM_ROLE   = dependency.commons_role.outputs.external_role_arn
    ATLANTIS_IAM_ROLE  = dependency.atlantis_role.outputs.external_role_arn
    ...
  }

It works pretty well

David

tfstate stuff should only go in your parent terragrunt config, so long as you use a generate field definition inside the remote_state block of your parent terragrunt config file

paultath81

this is great to see how others are using this. I now have a greater understanding. Atm my .hcl in the root/parent tree is using

remote_state {
  backend = "s3"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "production-tfstate"
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = "us-west-2"
    profile        = "non-prod"
    encrypt        = true
    dynamodb_table = "my-lock-table"
  }
}

paultath81

i plan to use variables in the config

paultath81

thx @David !

David

you are very welcome

paultath81

Hi David me again. I ran into an issue

paultath81

i’m following the file structure as

├── qa
│   ├── app
│   │   └── terragrunt.hcl
│   ├── mysql
│   │   └── terragrunt.hcl
│   └── vpc
│       └── terragrunt.hcl

and when i ran a plan or apply i get the error Did not find any Terraform files (*.tf) in .terragrunt-cache although there is many .tf files in my git module

David

Interesting, what directory are you running your terragrunt commands in?

It might be worthwhile to run a quick find . -type d -name ".terragrunt-cache" -prune -exec rm -rf {} \; from the root of your repo to clear out all the caches and make sure it isn’t just an issue with a corrupted cache

paultath81
01:49:48 AM

i’m running it in my app dir

paultath81
01:52:17 AM

after updating my source github url from [email protected]:PTATH81/terraform-aws-ec2.git//app?ref=v0.0.2 to [email protected]:PTATH81/terraform-aws-ec2.git the error went away but now i get

paultath81

strange..

David

I can’t find much about that online unfortunately. What versions of terraform and terragrunt are you using?

Can you try clearing the cache and then running a TF_LOG=trace terragrunt init and seeing if the extra logs have any helpful hints?

paultath81

terragrunt version v0.23.40

paultath81

Terraform v0.14.2

paultath81

let me clear cache

paultath81

i also enabled TRACE for TF_LOG

paultath81

here’s what i’m seeing

-----------------------------------------------------
2020/12/10 18:14:20 [DEBUG] [aws-sdk-go] {}
2020/12/10 18:14:20 [WARN] failed to fetch state md5: invalid md5
2020/12/10 18:14:20 [DEBUG] Service discovery for registry.terraform.io at https://registry.terraform.io/.well-known/terraform.json
2020/12/10 18:14:20 [TRACE] HTTP client GET request to https://registry.terraform.io/.well-known/terraform.json

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
2020/12/10 18:14:20 [DEBUG] GET https://registry.terraform.io/v1/providers/hashicorp/aws/versions
2020/12/10 18:14:20 [TRACE] HTTP client GET request to https://registry.terraform.io/v1/providers/hashicorp/aws/versions
2020/12/10 18:14:20 [DEBUG] GET https://registry.terraform.io/v1/providers/hashicorp/aws/3.20.0/download/windows/amd64
2020/12/10 18:14:20 [TRACE] HTTP client GET request to https://registry.terraform.io/v1/providers/hashicorp/aws/3.20.0/download/windows/amd64
2020/12/10 18:14:20 [DEBUG] GET https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_SHA256SUMS
2020/12/10 18:14:20 [TRACE] HTTP client GET request to https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_SHA256SUMS
2020/12/10 18:14:20 [DEBUG] GET https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_SHA256SUMS.sig
2020/12/10 18:14:20 [TRACE] HTTP client GET request to https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_SHA256SUMS.sig
- Installing hashicorp/aws v3.20.0...
2020/12/10 18:14:20 [TRACE] providercache.Dir.InstallPackage: installing registry.terraform.io/hashicorp/aws v3.20.0 from https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_windows_amd64.zip
2020/12/10 18:14:20 [TRACE] HTTP client GET request to https://releases.hashicorp.com/terraform-provider-aws/3.20.0/terraform-provider-aws_3.20.0_windows_amd64.zip
2020/12/10 18:14:21 [DEBUG] Provider signed by 51852D87348FFC4C HashiCorp Security <[email protected]>

Error: Failed to install provider

Error while installing hashicorp/aws v3.20.0: open
.terraform\providers\registry.terraform.io\hashicorp\aws.20.0\windows_amd64\terraform-provider-aws_v3.20.0_x5.exe:
The system cannot find the path specified.

[terragrunt] 2020/12/10 18:14:21 Hit multiple errors:
exit status 1

loren

terragrunt does not, technically, yet support tf 0.14, so you may be layering one problem on another…

paultath81

ah

paultath81

let me rollback the ver i have

paultath81

thx @loren

paultath81

what ver do you recommend ?

paultath81

v0.13.5 ok?

loren

if you check their github issues, they are tracking it. it’s just a bit too new still for them to claim support. the issues indicate some folks have gotten it to work, but with caveats. i haven’t tried yet myself, so am unsure of exactly what caveats

loren

yeah, i use terragrunt with tf 0.13.5 regularly

David

and if nothing else, terragrunt 0.25.0 was the first to even support terraform 0.13.x.

FWIW, I use v0.25.4 with terraform 0.14.1 with no issues, and run it against ~600 modules

paultath81

sweet, you guys are awesome

paultath81

i will let you know how it goes

paultath81

I still ran into the issue, but did notice @loren’s comment on this from https://github.com/gruntwork-io/terragrunt/issues/581

Updating the env TERRAGRUNT_DOWNLOAD path does do away with the error. But once removed again, the error is the same. @David what system are you running terragrunt on? I’m on Windows.

Issues while running tests on Windows · Issue #581 · gruntwork-io/terragrunt

This issue is to keep track of the errors encountered while running tests on Windows Filename too long — FAIL: TestLocalWithRelativeExtraArgsWindows (2.42s) integration_test.go Failed to ru…

paultath81

cutting down the dir structure helped for now.

loren

oh you’re on windows. yes, it is just about mandatory to set TERRAGRUNT_DOWNLOAD. it’s not bullet proof but helps a lot

loren

an even better option is to use WSL and avoid the path issue entirely

David

> what system are you running terragrunt on?

Locally, I’m on a mac, and our Atlantis runs on AmazonLinux2. My only windows experience is some testing on the https://github.com/transcend-io/terragrunt-atlantis-config library I maintain, but I’m not super experienced with it.

transcend-io/terragrunt-atlantis-config

Generate Atlantis config for Terragrunt projects. Contribute to transcend-io/terragrunt-atlantis-config development by creating an account on GitHub.

paultath81

Unfortunately yes, Windows, as we use AWS Workspaces and I’m afraid it doesn’t support WSL

loren

use session manager to connect to a linux dev box or try cloud9…

loren

or use vs code with the remote ssh plugin…

paultath81

thx for the tip @loren

paultath81

hi guys, sorry to bother again. What is the preferred location to store your backend terragrunt.hcl file? Should I include that in the root dir of my terraform module (this is located in its own separate git repo)? Or should I include it in my environment module (this is also in its own separate git repo)?

David

by “backend terragrunt.hcl file” are you referring to the parent config file that the other child modules include?

paultath81

yes the parent which the child module has when using

include {
  path = find_in_parent_folders()
}

David

hmm, I’m not sure on the best practice here. I use a monorepo for all my config, so I have the parent files at the root of the git repo. I would think that there would be some implications with Atlantis if you put the config file in a separate repo, which might complicate things

paultath81

I see - at first I was also using a monorepo, which works great, but I figured “what if” I try it this way….

paultath81

i wonder if folks out there may have come across the path i’m looking towards here too

paultath81

thx again @David and happy Monday!

2020-12-07

David

Is there a way to do good old terraform in a terragrunt.hcl file?

David

I would like to construct iam policy documents using data calls and then passing them in the inputs = { }

David

cloudposse/terraform-aws-iam-role

A Terraform module that creates IAM role with provided JSON IAM polices documents. - cloudposse/terraform-aws-iam-role

David

I haven’t tested it, but you might be able to do it by:

• Adding a generate block in terragrunt to write out a data source into your terraform module

• Putting an override.tf file next to your terragrunt.hcl file where you override the policy field of the role to point to your generated data source. Override files docs: https://www.terraform.io/docs/configuration/override.html

Personally, I just use jsonencode and create the IAM Policy in terragrunt

Override Files - Configuration Language - Terraform by HashiCorp

Override files allow additional settings to be merged into existing configuration objects.

David

jsonencode is really nice because you can use terragrunt vars / dependency outputs the same way you’d use with iam_policy data sources

David

Can you paste an example of using jsonencode?

David

I am guessing what you mean is you’re using a module written in terraform that uses jsonencode to generate IAM policy documents using the output of dependency blocks in terragrunt

David

include {
  path = find_in_parent_folders("terragrunt-config-dev.hcl")
}

terraform {
  source = "git::[email protected]:terraform-aws-modules/terraform-aws-iam//modules/iam-policy?ref=v3.4.0"
}

dependency datadog_param {
  config_path = "${get_parent_terragrunt_dir()}/foo/bar/datadog_ssm_param"
}

dependency ssh_key_param {
  config_path = "${get_parent_terragrunt_dir()}/foo/baz/ssh_key_param"
}

inputs = {
  name        = "FooBarPolicy"
  description = "demo policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowFetchingSecrets"
        Effect = "Allow"
        Action = [
          "ssm:GetParameter",
          "ssm:GetParameters",
          "secretsmanager:GetSecretValue"
        ]
        Resource = [
          dependency.datadog_param.outputs.arn,
          dependency.ssh_key_param.outputs.arn,
        ]
      },
      {
        Sid      = "AllowReadingKms",
        Effect   = "Allow",
        Action   = "kms:*",
        Resource = "*",
      }
    ]
  })
}

Nah, I create the policy entirely in terragrunt

David

hm

David

What does datadog_param do?

David

Is it just a data-call module?

David

It’s just another module. In this case, it creates an SSM SecureString parameter. Then this policy module says to create an IAM Policy that has permissions to read/decrypt that SSM Parameter’s value

David

Do you store the value of the DD api key in SSM using terraform?

David

My policy also needs access to a DD key lol

David

I am just curious to know how you’re doing it

David

yeah I do. We use Vault as our source of truth for secrets, and then have a really basic module that copies a Vault Secret -> SSM for when using SSM is easier than Vault for some service

David

We also have a Lambda function that copies keys in bulk from Vault -> SSM, and then in our policies we use a prefix + wildcard for the output of that lambda run

2020-12-03

Andrea

yep, that worked. thanks!

Andrea

not sure how easy/hard it would be to add the AWS profile to kubergrunt but that it would be a nice to have…

Andrea

thanks @!

2020-12-02

Andrea

Hi, do you know if there is a way to specify which AWS credentials to use in kubergrunt please?

Andrea

for example

kubergrunt eks deploy --region eu-west-1 --asg-name k8s_workers_windows --kubectl-context-name k8s-test

only works when targeting my default AWS account

Andrea

to make the command work with any other account, I need to export the AWS access and secret keys like so:

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=

pjaudiomv

You can probably use the AWS_PROFILE env var